United Airlines uses multiple-choice security questions.

Just When You Thought Website Security Questions Couldn’t Get Any Worse

Just When You Thought Website Security Questions Couldn’t Get Any Worse

The citizen’s guide to the future.
March 23 2016 12:11 PM
FROM SLATE, NEW AMERICA, AND ASU

None of the Above

Why is United using multiple-choice security questions?

United Airlines assures us that breaking into users' MileagePlus accounts would be hard to do.
United Airlines assures everyone that breaking into users' MileagePlus accounts would be hard to do with its new security measures.

Stephen Brashear/Getty Images

United sports
United Airlines' new multiple-choice security questions are slim on security.

United Airlines

Website security questions stress me out. How am I supposed to choose and remember a favorite book or favorite teacher? What if I’ve never had a pet? What if my high school’s mascot was a battered bronze lamp that was ceremonially passed from the graduating senior class president to the incoming senior class president at commencement every year while the rest of us sang a high-pitched anthem that began, “Great lamp whose light alone can show among the devious paths of life/ Which way our stumbling feet must go to reach the peace beyond the strife”? (Don’t get me wrong, if a website required me to write out all the lyrics to both verses of “Lamp of Learning” in order to authenticate my account, that would probably pretty drastically reduce the number of potential hackers.)

So answering security questions can be tricky. You want to choose something that’s not so easy anyone trying to get into your account will be able to easily figure it out (see: mother’s maiden name, city where you were born, high school), but not so hard that you run a good risk of being unable to retrieve your answer several years down the road (see: pretty much everything else).

Advertisement

In February, United Airlines decided to make this process both more and less stressful when it rolled out a set of security changes to its MileagePlus accounts, including new security questions with a drop-down list of possible answers instead of a blank space for you to type your own. For those of us who have trouble selecting favorite books or movies, it made things a little easier, in that it reduced the list of possible answers to a manageable 29 or 30 options. Of course, if your favorite pizza topping was not among the limited choices provided, the odds that you would remember having chosen giardiniera or za’atar or mashed potato (is that a pizza topping?) are pretty slim.

United pizza toppings

United Airlines

Even more confusing are questions like “What was the first major city that you visited?” since there’s no way to guarantee that your response will be on the list of possible answers.

Several users on the FlyerTalk forum noted the peculiarity of these questions and the drop-down format. One wrote:

If you have trouble choosing an answer from the choices presented then you are more likely to forget. Writing the answers down is a no no like with a password. Another problem I have with the use of preselected answers is the potential for profiling customers to shape product offerings and pricing. I prefer to use my own answers that are random and unique, easy to remember while not useful to others.
Advertisement

The user is right—from a security perspective, there are some pretty clear drawbacks to this system. For one thing, it reduces the number of possible answers to each question, making it that much easier for someone who is not you to guess your answer and access your account. For another, it makes it much harder for you to remember your answers and use them to access your account (that is, unless you’re one of the lucky people for whom Cardiff was the first major city you ever visited). This approach would seem to undo the whole point of security questions: coming up with a way for you to easily authenticate yourself by providing information that you can easily recall but would be difficult for anyone else to guess.

United representative Luke Punzenberger referred my questions about the system to a statement that the airline had posted on FlyerTalk, which explained that the drop-down answer selection was meant to thwart attackers using keyloggers who could intercept your responses if you typed them in on your own computer. According to the statement, United conducted research that showed that “the vast majority of security issues that customers have with their accounts can be traced to computer viruses that record your typing.” This in itself is fascinating—how did United figure out that its users were being targeted by keylogging software? Are United MileagePlus members somehow especially susceptible to keylogging malware? Did the airline survey its customers, and if so, how did those users know that they had been targeted by keyloggers? Or did it try to actually scan machines or browsers used by customers in some manner? Punzenberger declined to elaborate on the precise nature of the research, citing security concerns.

Due to the concerns about keylogger malware, United “purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging.” This makes sense—if you’re not typing in a response, then the keylogger that is apparently almost certain to be installed on your machine if you regularly fly United cannot capture that response.

There are a lot of other things that don’t make much sense, though, including why someone who installed a keylogger on your machine would bother with your airline website security question. Instead, he could be intercepting and exploiting all your passwords for pretty much every account you have. (If you are concerned about keyloggers, there are a number of other possible lines of protection, including using a password manager to input passwords, copying and pasting a password from a secure USB drive, and two-factor authentication.)

Advertisement

In general, phishing and dictionary attacks are probably more common security threats to your online accounts than keylogger software. Keylogging is effective for stealing credentials, yes, but it requires a fair bit of work to sift through every single keystroke you make and identify the useful information. If you’re trying to compromise accounts in bulk, it’s often easier to just send a phishing email and harvest passwords directly. If keylogging really is a significant problem for United accounts, then the airline’s new questions may in fact help reduce the number of compromised accounts, though it may also create new avenues for bad actors to compromise those accounts by guessing answers from the relatively short list of randomly generated responses given to each user.

United assures us that that would be hard to do. “We designed the questions to be difficult to answer through your social media accounts, which is why they may seem peculiar,” the statement notes. “If you’re not sure, try to answer two of your own questions selected at random about a Facebook friend of yours selected at random. We played this game quite a bit during the development program and found it very difficult.” But the point is not that someone is going to stumble across a photo of you eating mashed potato pizza on Facebook and compromise your account that way—the point is that someone has a 1 in 30 chance of choosing the right answer by just guessing at random and would only need 30 tries to be all but assured of success. United can, of course, limit the number of times you can answer those questions incorrectly before being locked out of your account, but in that case, you better hope you can remember who you said your favorite artist was. On the bright side, at least you’ll be safe from keyloggers.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society. Follow her on Twitter.